Data Breaches Ransomware and Cyber Attacks

It’s unrealistic to think that you can completely avoid cyberattacks and data breaches, so it’s vital to have a proper data recovery plan in place. You can also tighten your defenses significantly by ensuring all of your network devices are properly configured, and by putting some thought into all of your potential network borders.

Data Recovery Capability

Do you have a proper backup plan in place? Have you ever tested it to see that it works? Disaster recovery is absolutely vital, but an alarming number of companies do not have an adequate system in place. A survey of 400 IT executives by IDG Research revealed that 40% rate their organizations’ ability to recover their operations in the event of disaster or disruption as “fair or poor.” Three out of four companies fail from a disaster recovery standpoint, according to the Disaster Recovery Preparedness Benchmark.

A successful malware attack can lead to altered data on all compromised machines and the full effects are often very difficult to determine. The option to roll back to a backup that predates the infection is vital. Backed up data must be encrypted and physically protected. It’s also important that a test team routinely checks a random sampling of system backups by restoring them and verifying data integrity.
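The restore test described above can be automated rather than left to occasional manual checks. The following Python script is an added example, not code from the original article or from any backup vendor: it records a SHA-256 manifest of every file when the backup set is taken, then takes a random sample of the restored files and checks each one against the manifest, reporting files that are missing or whose contents changed. The directory layout, file contents and the `demo()` scenario are constructed for illustration.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup files are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Record relative path -> SHA-256 for every file at backup time.
    Keep the manifest (ideally signed) apart from the backup media, otherwise
    an attacker who can alter the backup can alter the manifest too."""
    source_dir = Path(source_dir)
    return {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*"))
        if p.is_file()
    }


def verify_restore_sample(restored_dir, manifest, sample_size, seed=None):
    """Restore test: pick a random sample of manifest entries and check that each
    restored file exists and hashes to the value recorded at backup time.
    Returns (sampled_paths, failures); failures is a sorted list of (path, reason)."""
    rng = random.Random(seed)
    names = sorted(manifest)
    sample = rng.sample(names, min(sample_size, len(names)))
    failures = []
    for rel in sample:
        restored = Path(restored_dir) / rel
        if not restored.is_file():
            failures.append((rel, "missing after restore"))
        elif sha256_file(restored) != manifest[rel]:
            failures.append((rel, "hash mismatch"))
    return sample, sorted(failures)


def demo():
    """Constructed scenario: back up three files, simulate a restore in which one
    file is silently corrupted and another is lost, then run the sampled check."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        files = {  # constructed sample data
            "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
            "etc/app.conf": b"listen = 127.0.0.1:8443\n",
            "docs/policy.txt": b"Backups are tested monthly.\n",
        }
        for rel, content in files.items():
            for base in (source, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(content)
        manifest = build_manifest(source)
        # Simulate a bad restore: one file altered, one file never written back.
        (restored / "db/orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'gadget');\n")
        (restored / "docs/policy.txt").unlink()
        _, failures = verify_restore_sample(restored, manifest, sample_size=3, seed=1)
        return failures


if __name__ == "__main__":
    for path, reason in demo():
        print(f"FAIL {path}: {reason}")
```

In production the `restored_dir` would be the output of an actual restore onto an isolated host, and the sample size and seed would come from the test schedule so that different files are exercised on each run; a failure list that is not empty is the signal that the backup plan does not work as assumed.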

Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

The default configurations for network devices like firewalls, routers, and switches are all about ease of use and deployment. They aren’t designed with security in mind and they can be exploited by determined attackers. There’s also a risk that companies will create exceptions for business reasons and then fail to properly analyze the potential impact.

The 2015 Information Security Breaches Survey found that failure to keep technical configuration up to date was a factor in 19% of incidents. Attackers are skilled at seeking out vulnerable default settings and exploiting them. Organizations should have standardized secure configuration guidelines applied across devices. Security updates must be applied in a timely fashion.

You need to employ two-factor authentication and encrypted sessions when managing network devices, and engineers should use an isolated, dedicated machine without Internet access. It’s also important to use automated tools to monitor the network and track device configurations. Changes should be flagged and rule sets analyzed to ensure consistency.
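Tracking device configurations and flagging changes, as recommended above, amounts to comparing the running configuration against an approved baseline and inspecting what was added or removed. The script below is an added example, not part of the original article or of any monitoring product: it normalizes two Cisco IOS-style configuration texts (dropping comment and timestamp lines), diffs them, and highlights additions that weaken the device (an "allow everything" ACL entry, cleartext management access, unencrypted stored passwords) as well as removed hardening lines. The configurations and the watch-lists are constructed for illustration and would need extending for your platform.

```python
import difflib
import re

# Constructed watch-list: directives that should never silently appear in a
# production device configuration.
RISKY_PATTERNS = [
    (re.compile(r"^\s*permit ip any any\b"), "ACL permits all traffic"),
    (re.compile(r"^\s*transport input (all|telnet)\b"), "cleartext (telnet) management enabled"),
    (re.compile(r"^\s*no service password-encryption\b"), "passwords stored unencrypted"),
    (re.compile(r"^\s*no ip http secure-server\b"), "HTTPS management disabled"),
    (re.compile(r"^\s*snmp-server community \S+ RW\b"), "read-write SNMP community"),
]

# Constructed watch-list: hardening lines whose removal should be flagged.
HARDENING_PATTERNS = [
    (re.compile(r"^\s*service password-encryption\b"), "password encryption removed"),
    (re.compile(r"^\s*transport input ssh\b"), "SSH-only management removed"),
    (re.compile(r"^\s*ip http secure-server\b"), "HTTPS management removed"),
]


def normalize(config_text):
    """Drop IOS comment lines ('!' prefix, which carry change timestamps) and
    trailing whitespace so cosmetic re-saves do not raise alerts."""
    lines = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if not line or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def diff_configs(baseline_text, current_text):
    """Return (added, removed) lines between the approved baseline and the running config."""
    added, removed = [], []
    for entry in difflib.ndiff(normalize(baseline_text), normalize(current_text)):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    return added, removed


def match_patterns(lines, patterns):
    """Map each line matching a watch-list pattern to a human-readable reason."""
    findings = []
    for line in lines:
        for pattern, reason in patterns:
            if pattern.search(line):
                findings.append((line.strip(), reason))
    return findings


def audit(baseline_text, current_text):
    """Every change is reported; risky additions and removed hardening are highlighted."""
    added, removed = diff_configs(baseline_text, current_text)
    return {
        "changed": bool(added or removed),
        "added": added,
        "removed": removed,
        "risky_additions": match_patterns(added, RISKY_PATTERNS),
        "hardening_removed": match_patterns(removed, HARDENING_PATTERNS),
    }


# Constructed sample configurations for the demo.
BASELINE = """\
! Last configuration change at 10:02:11 UTC Mon Jan 1 2018
hostname edge-fw-01
service password-encryption
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.0.5 eq 443
 deny ip any any
line vty 0 4
 transport input ssh
"""

CURRENT = """\
! Last configuration change at 23:47:02 UTC Fri Oct 19 2018
hostname edge-fw-01
no service password-encryption
ip access-list extended OUTSIDE-IN
 permit tcp any host 10.0.0.5 eq 443
 permit ip any any
 deny ip any any
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    report = audit(BASELINE, CURRENT)
    for line, reason in report["risky_additions"] + report["hardening_removed"]:
        print(f"ALERT: {reason}: {line}")
```

Run against configurations pulled on a schedule from each device, a non-empty `risky_additions` or `hardening_removed` list is the event to page on, while a plain `changed` flag with nothing risky is the signal to confirm the change was authorized.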

Boundary Defense

When the French built the Maginot Line in World War II, a series of impregnable fortifications that extended along the border with Germany and beyond, it failed to protect them because the Germans invaded around the North end through neutral Belgium. There’s an important lesson there for security professionals: Attackers will often find weaknesses in perimeter systems and then pivot to get deeper into your territory.

They may gain access through a trusted partner, or possibly an extranet, while your defensive eye is focused on the Internet. Effective defenses are multi-layered systems of firewalls, proxies, and DMZ perimeter networks. You need to filter inbound and outbound traffic and take caution not to blur the boundaries between internal and external networks. Consider network-based IDS sensors and IPS devices to detect attacks and block bad traffic.

Segment your network and protect each sector with a proxy and firewall to limit access as far as possible. If you don’t have internal network protection, then intruders can get their hands on the keys to the kingdom by successfully breaching the outer defenses.

The real cost

A lot of businesses argue that they can’t afford a comprehensive disaster recovery plan, but they should really consider whether they can afford to lose all their data or be uncertain about its integrity. They may lack the expertise to ensure that network devices are securely configured, but attackers don’t lack the skills to exploit that. It’s understandably common to focus on the outer boundary of your network and forget about threats that come from unexpected directions or multiply internally, but it could prove costly indeed.

Compared to the cost of a data breach, all of these measures are cheap and easy to set up.

HealthCare.gov system hack leaves 75,000 individuals exposed

The Centers for Medicare and Medicaid Services (CMS) experienced a data breach that exposed highly sensitive personal data of nearly 75,000 people. The compromised CMS system is linked with HealthCare.gov and assists insurance agents and brokers in helping people register for its healthcare plans.

A hack was detected earlier this month in a government computer system that works alongside HealthCare.gov, exposing the personal information of approximately 75,000 people, according to the agency in charge of the portal.

The Centers for Medicare and Medicaid Services made the announcement late in the afternoon ahead of a weekend, a time slot that agencies often use to release unfavorable developments.

The announcement was made late Friday by the CMS to confirm the data breach but details about the stolen data and content haven’t been provided as yet. It is, however, confirmed that personal files of 75,000 people have been exposed to hackers.

The brokers and agents use the Federally Facilitated Exchange’s Direct Enrollment pathway to convince customers to enroll in health insurance. The pathway was compromised by the attackers between 13 Oct and 16 Oct 2018, confirmed CMS.

The hacked system was connected to the Healthcare.gov website, the front-facing portal for anyone signing up for an insurance plan under former President Obama’s healthcare law, the Affordable Care Act. Hackers targeted the behind-the-scenes system that insurance agents used to help customers directly enroll in new plans, and not the consumer Healthcare.gov site itself. 

In order to sign up for healthcare plans, customers have to give over a ton of personal data — including names, addresses, and their social security number. CMS didn’t say exactly what kind of data was included in the stolen files, nor did it say how the breach happened.

About 10 million people currently have private coverage under former President Barack Obama’s health care law.

Consumers applying for subsidized coverage have to provide extensive personal information, including Social Security numbers, income and citizenship or legal immigration status.

The system that was hacked is used by insurance agents and brokers to directly enroll customers. All other signup systems are working.

CMS spokesman Johnathan Monroe said “nothing happened” to the HealthCare.gov website used by the general public. “This concerns the agent and broker portal, which is not accessible to the general public,” he said.

Federal law enforcement has been alerted and affected customers will be notified and offered credit protection.

Cyber Insurance - Is a must have - you will need it

It’s every healthcare organization’s nightmare to get the call that their data has been breached or hacked. As a result, many have turned to cyber insurance to protect assets and business operations.

As cyber policies and carriers lack a universal policy, there’s an even greater worst case scenario: An organization is breached, and the policy doesn’t cover what the leaders thought it did. Now, not only is the healthcare provider strapped with the burden of the breach, it wasted money on a useless cyber insurance policy.

To get a better grasp on how to choose the right policy, Healthcare IT News asked attorney Matthew Fisher, partner with Mirick O’Connell, and Jane Harper, Henry Ford Health System’s director of privacy and security risk management, to outline the biggest policy mistakes -- and how to avoid them.

Mistake #1: Rushing the process

When buying a policy, a carrier will provide a questionnaire that will evaluate your organization’s security posture, program, tools and policies. The biggest mistake is to rush the pre-policy process to see the rates and what the carrier will cover, explained Fisher.

Organizations need to be conservative with how they answer the questions, as “it could be a ground for denial, if you don’t have the policies you said you have in place,” said Fisher. “You have to make sure you’re not unintentionally misleading the insurance company when it comes to coverage.”

Often these questionnaires attempt to create a black and white policy and “it can be tough to answer correctly,” explained Fisher.

“Your ability to be as transparent and truthful upfront is critical to the nonpayment discussion,” said Harper. “If you tell the insurance company that you have everything in place and are compliant, if you tell them that and then you have an issue, and you weren’t truthful, it ends up being a legal battle.”

“When you submit your checklist that they have you fill out, meet with the underwriter to make sure you understand what you’ve documented,” she added. “You also need the copy that was provided to the insurance company because it will come back into play when you submit the final documents.”

For example, if you say you have a specific control in place, and you actually don’t, Harper explained that can create a situation where “they thought they had an understanding of something, but they didn’t.”

“Be honest, transparent and accurate -- because they can deny your policy if you were inaccurate or misleading in your responses,” she said.

Mistake #2: Lax, incomplete risk assessment

It’s easier to prevent a misleading or false statement to an underwriter, when an organization has a strong assessment and inventory of the processes and tools on the system. But far too often, hospitals “don’t know everything about the control environment,” explained Harper.

“When you talk about protecting a system and preventing a cyber incident, you have to have a good understanding of the organization’s overall control environment,” Harper said. “It’s key, as the longer it takes you to identify that you’ve had an incident, it leads to more exposure and the longer it takes to recover.”

But it’s also important to remember to update this inventory or assessment when buying new tools, merging with other organizations, hiring new staff and the like, Harper explained.

“Think about all of the activities and operations that happen,” she said. “And every three years, you’re updating a cybersecurity checklist -- that may not be frequent enough.”

For example, Harper explained that an organization filling out the policy questionnaire may have all of the right elements in place. But if another tool was purchased and the controls weren’t updated or the control was removed and the underwriter was not notified, there could be a problem.

“If those controls played into how the underwriter rated you: that can be key,” said Harper. “Think about your own home: you get additional discounts when you have a burglar alarm. So if you get one, and let them know, you may get a lower rate…  But if you no longer have that control, you have to tell the carrier.”

“It’s the same kind of practice that we want to get into when we get into cyber insurance for our organization,” she added.

Mistake #3: Failing to involve the right people

Many organizations understand that security needs to exist outside of the IT team. In the same vein, it’s crucial when buying a cyber insurance policy that the same mentality is applied to make sure all of your bases are covered.

“Make sure you are talking to the right individuals,” Harper said. “The appropriate key stakeholders are not only involved with the evaluation process - how many patients, how much data, etc. -- but also the responses to the questions the policy is going to ask.”

“Risk folks typically talk about it as it relates to patients,” she continued. “Those folks are key, but in addition, you need your privacy and security risk professionals, security officers, IT leader, your key business leaders/owners and those driving the data. It’s key.”

Also crucial? Making sure the facilities team is involved, as there can sometimes be a cyber incident based on a physical issue. Harper explained that “often people tend to focus on things like electronic PHI, but there’s physical PHI. If there’s a break in at a warehouse and data is stolen, OCR considers that a breach.”

Mistake #4: Failing to understand coverage

Far too often organizations make large assumptions as to just what cyber insurance will cover. Fisher explained that these leaders are often shocked to learn that they did not receive the full spectrum of coverage they wanted.

“Relying on blind faith on those terms, or what the broker or agent is telling you is a major mistake,” said Fisher. “It’s always up to you to go into something with eyes fully wide open to make sure you know what you’re actually buying.”

Harper took it a step further and laid to rest a common misconception when it comes to coverage: “Insurance will not cover fines and penalties associated with noncompliance. If you’re not compliant, and you didn’t do risk assessments, cyber insurance won’t protect you from that, so don’t expect it.”

Facebook Data Taken- Breach

SAN FRANCISCO – Facebook says 30 million fewer accounts were breached than originally thought in one of the worst security incidents at the giant social network – 30 million instead of 50 million – but attackers made off with sensitive personal information from nearly half of those users that could put them at serious risk, including phone number and email address, recent searches on Facebook, location history and the types of devices people used to access the service.

Hackers got their hands on data from 30 million accounts as part of last month's attack, Facebook disclosed Friday. Facebook originally estimated that 50 million accounts could have been affected but the company didn't know if they had been compromised.

For about half of those whose accounts were broken into – some 14 million people – the hackers looted extensive personal information such as the last 10 places that Facebook user checked into, their current city and their 15 most recent searches. For the other 15 million, hackers accessed name and contact details, according to Facebook. Attackers didn’t take any information from about 1 million people whose accounts were affected. Facebook says hackers did not gain access to financial information, such as credit-card numbers.

The company would not say what the motive of the attackers was but said it had no reason to believe the attack was related to the November midterm elections.

Facebook users can check if their data was stolen by visiting the company's Help Center. Facebook says it will advise affected users on how they can protect themselves from suspicious emails and other attempts to exploit the stolen data. Guy Rosen, Facebook's vice president of product management, said the company hasn't seen any evidence of attackers exploiting the stolen data or that it had been posted on the dark web.

Affected users should be on the lookout for unwanted phone calls, text messages or emails from people they don't know and attempts to use their email address and phone number to target spam or attempts to phish for other information. Facebook users should also be wary of messages or emails claiming to be from Facebook, the company said.

Third-party apps and Facebook apps such as Instagram and WhatsApp were not compromised, according to Facebook. Hackers were not able to access any private messages but messages received or exchanged by Facebook page administrators may have been exposed.

Security experts say the 14 million users who had extensive personal information swiped are now extremely vulnerable. Colin Bastable, CEO of Lucy Security, which focuses on cybersecurity prevention and awareness, painted an especially grim scenario.

"The truth is that, as a result of this news, millions of phishing attacks will now be launched, pretending to be from Facebook. Up to 20 percent of recipients will click and a large number of those will be successfully attacked, many of them using work computers and mobile devices," Bastable said. "Businesses and governments will lose money, ransomware attacks will result from this leak, and the attack will reverberate over many months."

The culprits behind the massive hack have not been publicly identified. The FBI is actively investigating the hack and asked Facebook not to disclose any information about potential perpetrators, Rosen said. When they disclosed the breach two weeks ago, Facebook officials said they didn't know who was behind the attacks.

The latest disclosure, another in a series of security lapses that have shaken public confidence in Facebook, may intensify political heat on the company. An investigation is underway by Ireland's Data Protection Commission, and Rosen said Facebook is also cooperating with the Federal Trade Commission and other authorities. The FTC declined to comment if it's investigating.

“Today's update from Facebook is significant now that it is confirmed that the personal data of millions of users was taken by the perpetrators of the attack," Ireland’s Data Protection Commission, the watchdog agency charged with privacy protection in the European Union, said in a tweet.

The extent of the personal information compromised by attackers delivered a blow to the public relations campaign Facebook has been waging to convince the more than 2 billion people who regularly use the service that it's serious about protecting their personal information after the accounts of 87 million users were accessed by political targeting firm Cambridge Analytica without their consent and Russian operatives spread propaganda during and after the 2016 presidential election.

This week, Google acknowledged that half a million accounts on its Google + social network could have been compromised by a software bug. The admission prompted lawmakers to call for an FTC investigation. Both incidents could further fuel a congressional push for a national privacy law to protect U.S. users of tech company services.

"These companies have a staggering amount of information about Americans. Breaches don't just violate our privacy, they create enormous risks for our economy and national security," Federal Trade Commission Commissioner Rohit Chopra told USA TODAY after Facebook disclosed the data breach last month. "The cost of inaction is growing, and we need answers."

After the accounts were compromised last month, more than 90 million users were forced to log out of their accounts as a security measure.

Facebook says attackers exploited a feature in its code that allowed them to commandeer users' accounts. Those accounts included those of Facebook CEO Mark Zuckerberg and his second-in-command, Sheryl Sandberg.

The attack began Sept. 14. A spike in traffic triggered an internal investigation. More than a week later, on Sept. 25, Facebook identified the vulnerability and fixed it two days later.

The vulnerability was introduced in July 2017 when a feature was added that allows users to upload happy birthday videos.

Attackers exploited a vulnerability in Facebook’s code that affected "View As," a feature that lets people see what their own profile looks like to someone else. The feature was built to give users more control over their privacy. Three software bugs in Facebook's code connected to this feature allowed attackers to steal Facebook access tokens they could then use to take over people's accounts.

These access tokens are like digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use Facebook.

Here's how it worked: Once the attackers had access to a token for one account, call it Jane's, they could then use "View As" to see what another account, say Tom's, could see about Jane's account. The vulnerability enabled the attackers to get an access token for Tom's account as well, and the attack spread from there. Facebook said it has turned off the "View As" feature as a security precaution.
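The defect described above is a general class of authorization bug: a feature that simulates another user's view must only ever simulate that user's visibility, and any credential the rendered page carries must belong to the caller, never to the simulated user. The Python model below is an added example constructed for this article; it is not Facebook's code and makes no claim about how "View As" was actually implemented. It uses HMAC-signed bearer tokens bound to one user, a toy profile-visibility model, and two versions of a "view as" preview: a vulnerable one that embeds a token minted for the viewed-as user, and a hardened one that only ever embeds the caller's own token. The signing key, users and profile data are all constructed.

```python
import hashlib
import hmac
import secrets
import time

# Constructed signing key; a real service keeps this in a KMS or HSM.
SIGNING_KEY = secrets.token_bytes(32)


def issue_token(user_id, ttl_seconds=3600):
    """Mint an HMAC-signed bearer token whose subject is exactly one user."""
    expires = int(time.time()) + ttl_seconds
    payload = f"{user_id}:{expires}".encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}:{sig}"


def subject_of(token):
    """Verify signature and expiry; return the user the token acts as, or None."""
    try:
        user_id, expires, sig = token.rsplit(":", 2)
        expires = int(expires)
    except ValueError:
        return None
    payload = f"{user_id}:{expires}".encode()
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected) or expires < time.time():
        return None
    return user_id


# Constructed profile data: fields visible to everyone vs. to friends only.
PROFILES = {"jane": {"public": {"name": "Jane"}, "friends": {"phone": "555-0100"}}}
FRIENDS = {"jane": {"tom"}}


def visible_fields(owner, viewer):
    """Which of owner's profile fields the viewer is allowed to see."""
    fields = dict(PROFILES[owner]["public"])
    if viewer in FRIENDS.get(owner, set()):
        fields.update(PROFILES[owner]["friends"])
    return fields


def view_as_vulnerable(session_token, view_as_user):
    """Preview 'how does view_as_user see my profile'. The defect: so that embedded
    widgets render exactly as they would for view_as_user, the page carries a token
    minted FOR view_as_user, i.e. a live credential for a different principal."""
    owner = subject_of(session_token)
    if owner is None:
        raise PermissionError("not logged in")
    return {
        "fields": visible_fields(owner, view_as_user),
        "embedded_token": issue_token(view_as_user),  # BUG: credential for someone else
    }


def view_as_hardened(session_token, view_as_user):
    """Same preview. The renderer simulates only another user's *visibility*; any
    credential it embeds belongs to the caller, so even a leaked preview can act
    only as the person who was already logged in."""
    owner = subject_of(session_token)
    if owner is None:
        raise PermissionError("not logged in")
    return {
        "fields": visible_fields(owner, view_as_user),
        "embedded_token": session_token,  # caller's own token, never view_as_user's
    }


if __name__ == "__main__":
    jane = issue_token("jane")
    print("vulnerable preview token acts as:", subject_of(view_as_vulnerable(jane, "tom")["embedded_token"]))
    print("hardened preview token acts as:  ", subject_of(view_as_hardened(jane, "tom")["embedded_token"]))
```

The invariant worth asserting in code review and in tests is the one the hardened function enforces: for every credential a response carries, `subject_of(credential)` equals the authenticated session's subject. A unit test that runs the preview for a non-friend viewer and checks both the reduced field set and the token subject would have caught the vulnerable variant.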

Last month, Facebook reset the tokens of nearly 50 million accounts that it believed were affected and, as a precaution, also reset the tokens for another 40 million accounts that had used "View As" in the past year. Resetting the tokens logged the affected Facebook users out of the service.

A breach of this kind is not a single, isolated event, warned Adrien Gendre, CEO of Vade Secure North America, an email security company. Hackers don't profit from breaking into Facebook accounts. Money's made, he noted, by launching spear phishing attacks using the data they've purloined, an increasingly common form of cyberattack where hackers spoof someone's identity to get them to complete a wire transfer or share confidential information.

And that's very bad news for the 14 million Facebook users who had intimate personal information stolen.

Ransomware Business Impacts, Ransomware Business Cost

Projecting the overall cost of a ransomware attack can be tricky for security executives, considering the many factors that come into play when responding to and recovering from one. Information from numerous previous incidents shows that the costs go well beyond any demanded ransom amount and the costs associated with cleaning infected systems.

Ransomware is a form of malicious software designed to prevent users from accessing their computers, or the files stored on them, until they pay a ransom to cybercriminals. Ransomware typically operates via a cryptovirology mechanism, using symmetric as well as asymmetric encryption to prevent users from transferring or accessing particular files or directories. Cybercriminals lock files on the assumption that they hold information crucial to the victim, so that the victim is compelled to pay the ransom in order to regain access.

Ransomware History

It’s been said that ransomware was introduced as the AIDS Trojan in 1989, when Harvard-educated biologist Joseph L. Popp sent 20,000 compromised diskettes named “AIDS Information – Introductory Diskettes” to attendees of the international AIDS conference organized by the World Health Organization. The Trojan worked by encrypting the file names on the victims’ computers and hiding directories. The victims were asked to pay $189 to PC Cyborg Corp. at a mailbox in Panama.

From 2006 on, cybercriminals became more active and started using asymmetric RSA encryption. They launched the Archiveus Trojan, which encrypted the files in the My Documents directory. Victims were promised access to the 30-digit password only if they made a purchase from an online pharmacy.

After 2012, ransomware spread worldwide, infecting systems and evolving into more sophisticated forms that made attack delivery easier as the years rolled by. In Q3, about 60,000 new ransomware samples were discovered, a figure that doubled to over 200,000 in Q3 of 2012.

The first version of CryptoLocker appeared in September 2013 and the first copycat software called Locker was introduced in December of that year.

Ransomware has been creatively defined by the U.S. Department of Justice as a new model of cybercrime with a potential to cause impacts on a global scale. Stats indicate that the use of ransomware is on a steady rise and according to Veeam, businesses had to pay $11.7 on average in 2017 due to ransomware attacks. Alarmingly, the annual ransomware-induced costs, including the ransom and the damages caused by ransomware attacks, are most likely to shoot beyond $11.5 billion by 2019.


Ransomware Business Impacts Can Be Worrisome

Ransomware can cause tremendous impacts that can disrupt business operations and lead to data loss. The impacts of ransomware attacks include:

  • Loss or destruction of crucial information

  • Business downtime

  • Productivity loss

  • Business disruption in the post-attack period

  • Damage of hostage systems, data, and files

  • Loss of reputation of the victimized company

You will be surprised to know that apart from the ransom, the cost of downtime due to restricted system access can bring major consequences. As a matter of fact, losses due to downtime may cost tens of thousands of dollars daily.

As ransomware continues to become more and more widespread, companies will need to revise their annual cybersecurity goals and focus on the appropriate implementation of ransomware resilience and recovery plans and commit adequate funds for cybersecurity resources in their IT budgets.

Consider the following examples. The Erie County Medical Center (ECMC) in Buffalo, NY, last July estimated it spent $10 million responding to an attack involving a $30,000 ransom demand. About half the amount went toward IT services, software, and other recovery-related costs. The other half stemmed from staff overtime, costs related to lost revenues, and other indirect costs. ECMC officials estimated the medical center would need to spend hundreds of thousands of dollars more on upgrading technology and employee awareness training.

Public records show that the City of Atlanta spent almost $5 million just in procuring emergency IT services following a March 2018 ransomware attack that crippled essential city services for days. The costs included those associated with third-party incident response services, crisis communication, augmenting support staff and subject matter expert consulting services.

In Colorado, Gov. John Hickenlooper had to set aside $2 million from the state disaster emergency fund after ransomware infected some 2,000 Windows systems at CDOT, the state department of transportation, this February. In less than eight weeks, CDOT officials spent more than half that amount just returning systems to normal from the attack.

Not surprisingly, industry estimates relating to ransomware damages have soared recently. Cybersecurity Ventures, which pegged ransomware costs at $325 million in 2015, last year estimated damages at $5 billion in 2017 and predicted it would exceed $11.5 billion in 2019.

For security executives trying to prepare a total ransomware cost estimate, the key is not to get fixated on the ransom amount itself. Even if you end up paying it to recover your data—something that most security analysts advocate against—the actual costs of the attack in most cases will end up being greater.


What is an MSSP (Managed Security Services Provider)?

A managed security service provider (MSSP) is an IT service provider that provides an organization with information security, cybersecurity monitoring and management, which may include policy development, security operation center, compliance services, incident response service, Virtual CISO, risk management program, vulnerability testing, penetration testing, security training and awareness, virus and spam blocking, intrusion detection, firewalls and virtual private network (VPN) management.

How does an MSSP differ from an MSP?

The extra “S” in MSSP indicates that it is more focused on security than a typical MSP. While MSPs are increasingly offering security services (some may even have an MSSP practice rolled into the larger MSP business), MSSPs are purely focused on security. However, even then, according to Keve, MSSPs can encompass a fairly broad umbrella of security services.

For example, MSSP technology offerings may include deploying, configuring, and/or managing the following technologies:

Furthermore, MSSP services may include:

An MSSP may offer a broad, generalized suite of security capabilities and services, or it may specialize in one or a few core focus areas. “Traditionally, MSSPs have been overwhelmingly focused on the perimeter,” assesses Keve. “And, while MSSP offerings are evolving, even today, few MSSPs tackle IAM, which is a focus of Simeio.”

Another difference between MSPs and MSSPs is NOCs versus SOCs. MSPs frequently establish their own network operations center (NOC) from which they monitor and administer customer operations; MSSPs, on the other hand, typically establish a security operations center (SOC), which is responsible for protecting the infrastructure (networks, applications, databases, servers, etc.). However, as Keve notes, “if an MSP takes security seriously as part of its business, it may also operate a NOC.”

Organizations will commonly rely on both an MSP and an MSSP.  “At Simeio, we work primarily with our clients, but we will often interoperate with functions out-sourced to a third-party, such as an MSP,” says Keve.


Understanding managed security service provider (MSSP)

MSSPs are best defined as IT experts who focus on improving digital security. These groups provide everything from firewalls to intrusion detection monitoring, spam blocking, virus blocking and the management of private networks. Some MSSPs offer additional features, ranging from upgrades to system alterations and beyond.

What matters most is whether the provider in question earns its keep. Take some time to perform research on prospective MSSPs. Do not stop digging until you find a provider with glowing references, excellent reviews, and a polished website.

CHOOSING THE RIGHT MANAGED SECURITY SERVICE PROVIDER FOR YOUR BUSINESS

You should know exactly what you need from an MSSP prior to making a commitment or even researching candidates. Once you know exactly what your company needs, ensure that the provider in question is capable of actually delivering the promised services. If a candidate seems incapable of providing even one of the services your business needs, rule them out right away.

What managed security service providers are used for

MSSPs have their own unique specialties, merits, and weaknesses. Though these companies generally do the same things, one might be ideally suited for your business, while others aren’t suitable for your unique operations. Find a cyber security group in New York with a proven track record in your industry, ensure their terms, costs, manpower and expertise are a fit and there will be a seamless integration into your business.

Why do organizations rely on MSSPs?

It is important to draw up a detailed service level agreement with the MSSP you favor. This agreement ensures both parties fully understand each other’s expectations and requirements. The relationship should ultimately prove mutually beneficial. If you are even slightly suspicious that the MSSP is incapable of safeguarding your digital information, clients, employees, and business, move on to the next candidate. In the end, a group that does not earn its keep should not be trusted to protect your most important information.

Risk Facing Financial Services

Financial services institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:

Social engineering and funds transfer fraud

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried out by criminals using fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have stronger control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.

Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden for banks has increased significantly. This brings additional costs when meeting these new requirements, along with higher potential penalties if an institution fails to comply. In many instances, resultant fines and penalties following regulatory failures are uninsured or uninsurable. Financial institutions should seek cover where regulatory enquiry costs and expenses are covered.

Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs of the consumer and the consumer’s expectations. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the mis-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.

Reputational damage

Predatory banking is only one type of behavior that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failure in anti-money laundering controls by Wells Fargo or HSBC, who were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media can mean that reputational damage spreads far faster than ever before.

Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cutbacks and stock price decline have shown that there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete negotiation – could have an effect elsewhere, including the US, where European-headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant institutions.

Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining steam and traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic, but they will also need to provide more services to their clients to ensure they are competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.

Cybersecurity Future and Artificial Intelligence (AI)

As businesses struggle to combat increasingly sophisticated cybersecurity attacks, whose severity is exacerbated by the vanishing IT perimeters of today’s mobile and IoT era and by an acute shortage of skilled security professionals, IT security teams need both a new approach and powerful new tools to protect data and other high-value assets. Increasingly, they are looking to artificial intelligence (AI) as a key weapon to win the battle against stealthy threats inside their IT infrastructures, according to a new global research study conducted by the Ponemon Institute on behalf of Aruba, a Hewlett Packard Enterprise company (NYSE:HPE).

The Ponemon Institute study, entitled “Closing the IT Security Gap with Automation & AI in the Era of IoT,” surveyed 4,000 security and IT professionals across the Americas, Europe and Asia to understand what makes security deficiencies so hard to fix, and what types of technologies and processes are needed to stay a step ahead of bad actors within the new threat landscape.

The research revealed that in the quest to protect data and other high-value assets, security systems incorporating machine learning and other AI-based technologies are essential for detecting and stopping attacks that target users and IoT devices. The majority of respondents agree that security products with AI functionality will help to:

  • Reduce false alerts (68 percent)

  • Increase their team’s effectiveness (63 percent)

  • Provide greater investigation efficiencies (60 percent)

  • Advance their ability to more quickly discover and respond to stealthy attacks that have evaded perimeter defense systems (56 percent)

Twenty-five percent of respondents said they currently use some form of an AI-based security solution, with another 26 percent stating they plan on deploying these types of products within the next 12 months.

Current Security Tools are not Enough

“Despite massive investments in cybersecurity programs, our research found most businesses are still unable to stop advanced, targeted attacks – with 45 percent believing they are not realizing the full value of their defense arsenal, which ranges from 10 to 75 security solutions,” said Larry Ponemon, chairman, Ponemon Institute. “The situation has become a ‘perfect storm,’ with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, especially given the current lack of security staff with the necessary skills and expertise to battle today’s persistent, sophisticated, highly trained, and well-financed attackers. Against this backdrop, AI-based security tools, which can automate tasks and free up IT personnel to manage other aspects of a security program, were viewed as critical for helping businesses keep up with increasing threat levels.”

IoT and Cloud Add Significant Risk

Ponemon researchers found that the majority of IT security teams believe that a key gap in their company’s overall security strategy is their inability to identify attacks that use IoT devices as the point of entry. In fact, more than three-quarters of respondents believe their IoT devices are not secure, with 60 percent stating even simple IoT devices pose a threat. Two-thirds of respondents admitted they have little or no ability to protect their “things” from attacks. Continuous monitoring of network traffic, closed-loop detection and response systems, and detecting behavioral anomalies among peer groups of IoT devices, were cited as the most effective approaches to better protect their environments.

Even the ownership model for IoT security presents potential risk. When asked who inside their organization was responsible for IoT security, responses ranged across the CIO, CISO, CTO, and line-of-business leaders, with no majority consensus. Only 33 percent identified the CIO, with no other executive or functional group achieving response totals above 20 percent. Surprisingly, “No Function” was the third-highest answer (15 percent).

Survey results also highlighted the importance of visibility and the ability to define which resources that people and IoT devices can access, with 63 percent of respondents stating network access control is an important element of their company’s overall security strategy and critical for reducing the reach of inside exploits. Also cited as important was having detailed information about applications (71 percent), endpoints (69 percent), cloud (64 percent), and networks (63 percent), with more than half saying they currently deploy network access control solutions for enabling visibility and control across both wired and wireless networks.

Additionally, more than half of respondents said it’s hard to protect expanding and blurring IT perimeters resulting from requirements to concurrently support IoT, BYOD, mobile, and cloud initiatives (55%).

“Partnering with the Ponemon Institute helps us to improve customer experiences by better understanding security teams’ challenges, and then arming them with advanced solutions that enable quick identification and responses to an ever-changing threat landscape,” said Larry Lunetta, vice president of security solutions marketing for Aruba. “The insight gained from this study enables us to continually improve our ability to provide an enterprise wired and wireless network security framework with an integrated and more comprehensive approach for gaining back visibility and control.”

Apple Integrates Security Controls in iOS 12 Core

Apple's latest update for iOS incorporates ways to stop Safari snooping, data leaks, password reuse, and hacking.

In what has become one of the rituals of fall along with leaf peeping, tailgating, and apple picking, Apple recently introduced a new lineup of iThingies, complete with slick new iPhones and oversized Apple Watches. They all look really nice. But the most important release isn’t the (unironically named) iPhone XS or super-powerful MacBook Pro, it’s iOS 12.

The iPhone is the leader in the clubhouse as the most secure general-purpose computing device on the market. Apple’s control of both the hardware and software development process and ecosystem make the iPhone/iOS platform one of the harder targets there is for attackers at the moment. The company has been adding security features to both the hardware and software at a steady pace since the iPhone’s introduction, and iOS 12, which Apple released this week, brings several important new protections with it.

The features that will probably make the biggest immediate difference to most users are the addition of automatic strong passwords in Safari and security code AutoFill. Creating and remembering strong passwords is a pain so people often just fall back on something that’s easy to remember, which also means it’s probably easy for an attacker to guess. In iOS 12, Apple has added the capability for Safari to suggest strong, complex passwords automatically, something that has been available on the desktop version of the browser for a while. The second authentication change is a feature that will automatically fill in one-time passcodes sent via SMS. While SMS-based two-step verification isn’t the strongest option, it’s significantly better than a password alone, and Apple is making it much easier for people to use it by removing the need to copy and paste or remember those codes to enter them in apps.

Another major upgrade to the security of iOS is the inclusion of automatic software updates. Most desktop platforms have had automatic updates as an option for many years, but it’s taken a while for that feature to reach mobile devices. Until now, iPhone users needed to go into the App Store app and manually click on the Update option for each installed app. The same was true for iOS itself. In iOS 12, users have the option of setting iOS and all of the installed apps to update automatically, ensuring that the latest version is always installed. Even the minor releases of iOS come with security and bug fixes and are important for users to install, but many people aren’t even aware when new versions come out. Having automatic updates enabled takes the human part of that out of the equation.

There’s also a feature that’s less obvious but can be an important defense against some attacks. Apple has added a function called USB Restricted Mode that prevents any USB accessory from interacting with an iPhone if the device has been locked for more than an hour. The feature is buried in the Settings under the Touch ID & Passcode option and it can protect iPhones against attacks that use exploits delivered over the USB Lightning port.

On the privacy side of things, iOS 12 includes functionality in Safari that prevents third-party trackers on sites from following a user’s movements across the web without the user’s permission. It’s an important change, given how pervasive third-party tracking has become.

“Safari now prevents Share buttons and comment widgets on web pages from tracking you without your permission. Safari also prevents advertisers from collecting your device’s unique characteristics, so they can’t identify your device or retarget ads to you across the web,” Apple’s notes for iOS 12 say.

The iOS 12 update is available now. Get it.

FBI: Protecting Your Networks from Ransomware

Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. There are very effective prevention and response actions that can significantly mitigate the risk posed to your organization.

Ransomware targets home users, businesses, and government networks and can lead to temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files, and potential harm to an organization’s reputation. 

Ransomware may direct a user to click on a link to pay a ransom; however, the link may be malicious and could lead to additional malware infections. Some ransomware variants display intimidating messages, such as:

“Your computer was used to visit websites with illegal content. To unlock your computer, you must pay a $100 fine.”

“You only have 96 hours to submit the payment. If you do not send money within the provided time, all your files will be permanently encrypted and no one will be able to recover them.”

What is Ransomware?

Ransomware is a form of malware that targets your critical data and systems for the purpose of extortion. Ransomware is frequently delivered through spearphishing emails. After the user has been locked out of the data or system, the cyber actor demands a ransom payment. After receiving payment, the cyber actor will purportedly provide an avenue to the victim to regain access to the system or data. Recent iterations target enterprise end users, making awareness and training a critical preventive measure.

Protecting Your Networks

Educate Your Personnel

Attackers often enter the organization by tricking a user into disclosing a password or clicking on a virus-laden email attachment. Remind employees to never click unsolicited links or open unsolicited attachments in emails. To improve workforce awareness, the internal security team may test the training of an organization’s workforce with simulated phishing emails. For additional information on Avoiding Social Engineering and Phishing Attacks.

Ransomware Proactive Prevention is the Best Defense

Prevention is the most effective defense against ransomware and it is critical to take precautions for protection. Infections can be devastating to an individual or organization, and recovery may be a difficult process requiring the services of a reputable data recovery specialist.

The U.S. Government (USG) recommends that users and administrators take the following preventive measures to protect their computer networks from falling victim to a ransomware infection:

Ransomware Preventive Measures

• Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.

• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.

• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

• Configure firewalls to block access to known malicious IP addresses.

• Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.

• Set anti-virus and anti-malware programs to conduct regular scans automatically.

• Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

• Configure access controls—including file, directory, and network share permissions— with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.

• Disable macro scripts from Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.

• Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.

• Consider disabling Remote Desktop Protocol (RDP) if it is not being used.

• Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.

• Execute operating system environments or specific programs in a virtualized environment.

• Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

Business Continuity Considerations

• Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it is working.

• Conduct an annual penetration test and vulnerability assessment.

• Secure your backups. Ensure backups are not connected permanently to the computers and networks they are backing up. Examples are securing backups in the cloud or physically storing backups offline. Some instances of ransomware have the capability to lock cloud-based backups when systems continuously back up in real time, also known as persistent synchronization. Backups are critical in ransomware recovery and response; if you are infected, a backup may be the best way to recover your critical data.
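A restore test of the kind the last two items call for, added here as an example that is not from the FBI guidance or CyberSecOP: it records a SHA-256 manifest at backup time and checks a restored copy against it, reporting files that are missing or whose contents changed. The directory layout, file names and the damaged restore are constructed for the demonstration.

```python
"""Backup manifest creation and restore verification.

Added example (not from the FBI guidance or CyberSecOP): builds a SHA-256
manifest of a backup set and verifies that a restored copy matches it, so a
restore test can prove the backup is intact before it is relied on.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = _sha256_file(path)
    return manifest


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    Returns what a restore-test report needs: files whose content changed
    (e.g. encrypted by ransomware before the backup ran, or corrupted on the
    backup medium), files that are missing, and files that were not backed up.
    """
    current = build_manifest(restored)
    modified = sorted(p for p, digest in manifest.items()
                      if p in current and current[p] != digest)
    missing = sorted(p for p in manifest if p not in current)
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not (modified or missing or extra),
            "modified": modified, "missing": missing, "extra": extra}


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate a damaged
    restore in which one file's contents changed and one file is missing."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for d in (src, restored):
            (d / "finance").mkdir(parents=True)
        files = {"finance/ledger.csv": b"acct,amount\n1,100\n",
                 "finance/notes.txt": b"quarterly notes\n",
                 "readme.txt": b"backup set 2016-Q1 (constructed sample)\n"}
        for rel, data in files.items():
            (src / rel).write_bytes(data)
            (restored / rel).write_bytes(data)
        manifest = build_manifest(src)  # recorded at backup time
        # Damage the restore: overwrite one file with junk, delete another.
        (restored / "finance/ledger.csv").write_bytes(b"\x8a\x13garbled")
        (restored / "readme.txt").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean restore returns `ok: True` with all three lists empty; anything else means the backup cannot yet be trusted as the recovery path.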

What to Do If Infected with Ransomware

Should preventive measures fail, the USG recommends that organizations consider taking the following steps upon an infection with ransomware:

• Isolate the infected computer immediately. Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or share drives.

• Isolate or power-off affected devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage, and prevent worsening conditions.

• Immediately secure backup data or systems by taking them offline. Ensure backups are free of malware.

• Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.

• If available, collect and secure partial portions of the ransomed data that might exist.

• If possible, change all online account passwords and network passwords after removing the system from the network. Furthermore, change all system passwords once the malware is removed from the system.

• Delete Registry values and files to stop the program from loading.

Implement your security incident response and business continuity plan. Ideally, organizations will ensure they have appropriate backups, so their response to an attack will simply be to restore the data from a known clean backup. Having a data backup can eliminate the need to pay a ransom to recover data.

There are serious risks to consider before paying the ransom. USG does not encourage paying a ransom to criminal actors. However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup. Ransomware victims may also wish to consider the following factors:

• Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.

• Some victims who paid the demand were targeted again by cyber actors.

• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.

• Paying could inadvertently encourage this criminal business model.

How Law Enforcement Can Help

Any entity infected with ransomware should contact law enforcement immediately. Law enforcement may be able to use legal authorities and tools that are unavailable to most organizations. Law enforcement can enlist the assistance of international law enforcement partners to locate the stolen or encrypted data or identify the perpetrator. These tools and relationships can greatly increase the odds of successfully apprehending the criminal, thereby preventing future losses.

Federal law enforcement places a priority on conducting cyber investigations in a manner that causes minor disruption to a victim entity’s normal operations and seeks to work cooperatively and discreetly with that entity. Federal law enforcement uses investigative measures that avoid unnecessary downtime or displacement of a company’s employees. Federal law enforcement closely coordinates its activities with the affected organization to avoid unwarranted disclosure of information.

As an affected entity recovers from a cybersecurity incident, the entity should initiate measures to prevent similar incidents. Law enforcement agencies and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center can assist organizations in implementing countermeasures and provide information and best practices for avoiding similar incidents in the future. Additionally, the affected organization should conduct a post-incident review of their response to the incident and assess the strengths and weaknesses of its incident response plan.

Ransomware Variants

Ransomware is a growing criminal activity involving numerous variants. Since 2012 when police locker ransomware variants first emerged, ransomware variants have become more sophisticated and destructive. Some variants encrypt not just the files on the infected device, but also the contents of shared or networked drives, externally attached storage media devices, and cloud storage services that are mapped to infected computers. These variants are considered destructive because they encrypt users’ and organizations’ files, and render those files useless until a ransom is paid.

Recent federal investigations by the FBI reveal that ransomware authors continue to improve ransomware code by using anonymizing services like “Tor” for end-to-end communication to infected systems and Bitcoin virtual currency to collect ransom payments. Currently, the top five ransomware variants targeting U.S. companies and individuals are CryptoWall, CTB-Locker, TeslaCrypt, MSIL/Samas, and Locky. New ransomware variants are continually emerging.

CryptoWall

CryptoWall and its variants have been actively used to target U.S. victims since April 2014.

CryptoWall was the first ransomware variant that only accepted ransom payments in Bitcoin.

The ransom amounts associated with CryptoWall are typically between $200 and $10,000. Following the takedown of the CryptoLocker botnet, CryptoWall has become the most successful ransomware variant with victims all over the world. Between April 2014 and June 2015, IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million. CryptoWall is primarily spread via spam email but also infects victims through drive-by downloads and malvertising.

CTB-Locker

CTB-Locker emerged in June 2014 and is one of the first ransomware variants to use Tor for its C2 infrastructure. CTB-Locker uses Tor exclusively for its C2 servers and only connects to the C2 after encrypting victims’ files. Additionally, unlike other ransomware variants that utilize the Tor network for some communication, the Tor components are embedded in the CTB-Locker malware, making it more efficient and harder to detect. CTB-Locker is spread through drive-by downloads and spam emails.

TeslaCrypt

TeslaCrypt emerged in February 2015, initially targeting the video game community by encrypting gaming files. These files were targeted in addition to the files typically targeted by ransomware (documents, images, and database files). Once the data was encrypted, TeslaCrypt attempted to delete all Shadow Volume Copies and system restore points to prevent file recovery. TeslaCrypt was distributed through the Angler, Sweet Orange, and Nuclear exploit kits.

MSIL or Samas (SAMSAM)

MSIL or Samas (SAMSAM) was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application. SAMSAM exploits vulnerable Java-based Web servers. SAMSAM uses open-source tools to identify and compile a list of hosts reporting to the victim’s Active Directory. The actors then use psexec.exe to distribute the malware to each host on the network and encrypt most of the files on the system. The actors charge varying amounts in Bitcoin to provide the decryption keys to the victim.

Locky

In early 2016, a destructive ransomware variant, Locky, was observed infecting computers belonging to businesses globally, including those in the United States, New Zealand, Australia, Germany and the United Kingdom. Locky propagates through spam emails that include malicious Microsoft Office documents or compressed attachments (e.g., .rar, .zip) that were previously associated with banking Trojans such as Dridex and Pony. The malicious attachments contain macros or JavaScript files to download the Locky files. Recently, this ransomware has also been distributed using the Nuclear Exploit Kit.

Links to Other Types of Malware

Systems infected with ransomware are also often infected with other malware. In the case of CryptoLocker, a user typically was infected by opening a malicious attachment from an email. This malicious attachment contained Upatre, a downloader, which infected the user with GameOver Zeus. GameOver Zeus was a variant of the Zeus Trojan used to steal banking information and other types of data. After a system became infected with GameOver Zeus, Upatre would also download CryptoLocker. Finally, CryptoLocker encrypted files on the infected system and demanded a ransom payment.

The disruption operation against the GameOver Zeus botnet also affected CryptoLocker, demonstrating the close ties between ransomware and other types of malware. In June 2014, an international law enforcement operation successfully weakened the infrastructure of both GameOver Zeus and CryptoLocker.

Cyber security IT skills in-demand in US

There’s no doubt that demand for the technologically skilled will only increase in the upcoming years, as practically every company becomes a software-driven enterprise. A survey by the jobs site Monster found that in the US, jobs in the digital sector have multiplied at more than twice the rate of other non-digital tech sectors, and are predicted to grow by 20% in the next decade.

However, which skills will be particularly in demand? While it’s unlikely that the IT skills demanded by the jobs market today will become redundant within our lifetimes, the field is constantly evolving, and there are certainly growth areas on the horizon that IT professionals would do well to educate themselves in.

Cyber security

Cyber security is an area set to grow exponentially in importance in the upcoming years. Every time a breach is suffered by an organisation, there is a huge cost both in terms of financial loss and loss of reputation and brand value.

A recent study carried out by jobs site Indeed indicated that the US is dangerously short on cyber security skills and that the number of cyber security jobs advertised in the US is the third highest globally, meaning demand exceeded candidate interest by more than three times.

Development

Demand for skills in development is here to stay (for the time being anyway – this could change as soon as AI is more widely used to code). In 2017, the demand for software developers and engineers increased by 13% in the UK.

Devops

Another important area of growth is the trend for companies to take a devops approach to their IT departments, meaning that developers well versed in this outlook will be the most employable.

Cloud computing

It’s widely recognised that cloud computing is the future, and every IT professional should feel comfortable using these systems. Demand for cloud infrastructure specialists is increasing across the board.

Machine Learning and AI

These are two obvious areas of increasing growth. In the US, demand for AI jobs increased threefold between 2015 and 2018, even surpassing the UK in terms of demand.

HOW DOES RANSOMWARE WORK?

  1. Ransomware infections occur when a user opens a malicious email attachment, clicks on a malicious link, or visits a website infected with malicious code, known as a drive-by download.

  2. Once a system is infected, the ransomware contacts a command and control (C2) server to generate an encryption key and begins encrypting files on the victim’s machine.

  3. The ransomware runs quietly in the background performing in-depth searches of all disk folders, including removable drives and network shares, and encrypts as many files as it can.

  • Ransomware may also delete Shadow Volume Copies, destroy restore points, and overwrite free disk space to prevent victims from recovering their files and systems without paying the ransom.

  • If a system is powered off as files are being encrypted, some ransomware variants resume where they left off when the system or device is powered on again.

  4. After files are encrypted, a ransom note is displayed on the screen with instructions on how and where to pay the ransom and the length of time before the hacker or software destroys the decryption key.

  • Some recent variants offer victims a ‘second chance’ to pay after the initial timer expires; however, the ‘second chance’ is often at least double the original ransom amount.

  5. If the victim pays the ransom, the malware is supposed to contact the C2 server for the decryption key and begin decrypting the victim’s files; however, in many cases, the files are never decrypted.

  • Some ransomware files can delete themselves in order to avoid detection and analysis by security researchers or law enforcement.
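A defender-side heuristic for the behaviour in step 3 above, added here as an example and not part of the original post: it scans file-system audit events (constructed below, in an assumed line format) and flags a process that renames many files across several folders to a new extension inside a short window. The window length and thresholds are assumptions to tune per environment.

```python
"""Heuristic detection of ransomware-like file activity.

Added example, not from the original post: scores file-system audit events
(constructed below, in an assumed line format) for a single process rapidly
renaming many files across many folders to a new extension.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Assumed audit line format:
#   "<iso-time> proc=<name> action=<write|rename> path=<p> [new=<p>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) action=(?P<action>write|rename) "
    r"path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")

WINDOW = timedelta(seconds=60)  # assumption: sliding window length
MIN_FILES = 20                  # assumption: distinct files touched in a window
MIN_DIRS = 3                    # assumption: distinct folders in a window
MIN_EXT_CHANGE_RATIO = 0.8      # assumption: share of touched files given a new suffix


def parse_line(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _extension_changed(ev: dict) -> bool:
    """True for a rename whose target carries a different suffix (a.xlsx -> a.xlsx.locked)."""
    if ev["action"] != "rename" or not ev["new"]:
        return False
    return PurePosixPath(ev["path"]).suffix != PurePosixPath(ev["new"]).suffix


def detect(lines: List[str]) -> List[dict]:
    """Return one alert per process whose busiest WINDOW exceeds all thresholds."""
    by_proc: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_proc[ev["proc"]].append(ev)

    alerts = []
    for proc, events in by_proc.items():
        events.sort(key=lambda e: e["ts"])
        peak = None
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so it never spans more than WINDOW.
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1
            window = events[start:end + 1]
            files = {e["path"] for e in window}
            dirs = {PurePosixPath(e["path"]).parent for e in window}
            ext_changes = sum(_extension_changed(e) for e in window)
            if (len(files) >= MIN_FILES and len(dirs) >= MIN_DIRS
                    and ext_changes / len(files) >= MIN_EXT_CHANGE_RATIO
                    and (peak is None or len(files) > peak["files"])):
                peak = {"process": proc, "files": len(files), "dirs": len(dirs),
                        "renamed": ext_changes, "first": window[0]["ts"].isoformat()}
        if peak:
            alerts.append(peak)
    return alerts


def sample_log() -> List[str]:
    """Constructed audit lines: an editor saving three drafts in one folder, and a
    rogue process renaming 24 spreadsheets in four folders to a new extension."""
    t0 = datetime(2016, 3, 1, 9, 0, 0)
    lines = []
    for i in range(3):
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} proc=editor.exe action=write path=/home/u/docs/draft{i}.docx")
    folders = ["/home/u/docs", "/home/u/photos", "/srv/share/finance", "/srv/share/hr"]
    for i in range(24):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        p = f"{folders[i % 4]}/file{i}.xlsx"
        lines.append(f"{ts} proc=updater.exe action=rename path={p} new={p}.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The editor's three writes in one folder stay below every threshold, while the renaming process trips all three; in production the alert would feed the isolation step in the FBI guidance above (remove the host from the network and take backups offline).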

CyberSecOP: Ransomware Remediation and Prevention Service

RANSOMWARE MITIGATION STRATEGIES

For many organizations, preventing ransomware entirely is nearly impossible; however, the impact of a successful infection can be greatly reduced if a robust data backup process is in place. Comprehensive data backups should be scheduled as often as possible and must be kept offline in a separate and secure location. The most effective method to prevent ransomware infections is to conduct regular training and awareness exercises with all employees to ensure users are proficient in safe Internet-browsing techniques and able to identify phishing emails. For specific recommendations for data protection, systems management, network management, mobile device management, and post-infection remediation.